HTTP git server on nginx
The Git project recently added a smart HTTP server (git-http-backend), which lets you talk to a remote Git repository over HTTP instead of the default SSH protocol. I can foresee HTTP becoming the primary protocol for interacting with remote Git servers in future. The current documentation for git-http-backend only gives instructions for Apache.
However, I wanted to set up Git over HTTPS using nginx and haproxy (for SSL offloading). Here are the working snippets that let me set up a remote Git server over HTTPS on Ubuntu 14.04 LTS.
Install nginx, git, fcgiwrap
sudo apt-get install nginx git fcgiwrap
Add the following lines to /etc/nginx/fastcgi_params:
    ubuntu@gitserver:~$ tail -2 /etc/nginx/fastcgi_params
    # Pass authenticated username to CGI app
    fastcgi_param REMOTE_USER $remote_user;
Create a new nginx site configuration for the Git server:
    ubuntu@gitserver:~$ cat /etc/nginx/sites-available/git
    server {
        # plain HTTP on port 80; haproxy (see the HTTPS section) forwards to 127.0.0.1:80
        listen 80;
        server_name gitserver.example.com;

        # every request must carry valid basic-auth credentials from /etc/nginx/passwd
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/passwd;

        location ~ (/.*) {
            fastcgi_pass unix:/var/run/fcgiwrap.socket;
            fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
            # export every repository under GIT_PROJECT_ROOT, not only those with git-daemon-export-ok
            fastcgi_param GIT_HTTP_EXPORT_ALL "";
            fastcgi_param GIT_PROJECT_ROOT /srv/git;
            fastcgi_param PATH_INFO $1;
            include fastcgi_params;
        }
    }
Create a symlink to enable the site:
    sudo ln -s /etc/nginx/sites-available/git /etc/nginx/sites-enabled/git
This enables a Git server at http://gitserver.example.com with HTTP basic authentication enforced by nginx. The password file accepts htpasswd-style entries as well as Linux crypt(3) hashes; I personally use SHA-512 with 5,000 rounds and a random salt (the default Linux shadow password scheme).
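With nginx enforcing basic auth in front of git-http-backend, its access log records which authenticated user pushed to which repository and which clients keep failing to log in. As an added example, not code from the original post, the following Python script summarises git smart-HTTP traffic from nginx's default "combined" log format; the sample log lines are constructed.

```python
import re
from collections import Counter

# nginx "combined" access-log format (default on Ubuntu's nginx package); $remote_user
# is the basic-auth name nginx verified against /etc/nginx/passwd, or "-" if none.
LOG_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)
# Smart-HTTP request shapes served by git-http-backend: GET on info/refs?service=...
# advertises refs, the matching POST carries the actual upload-pack/receive-pack data.
SERVICE_RE = re.compile(
    r'^/(?P<repo>.+?)/(?:info/refs\?service=)?(?P<service>git-(?:upload|receive)-pack)$'
)

# Constructed sample lines (not real traffic): one fetch, one push, three failed logins.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Oct/2014:12:00:02 +0000] "POST /project.git/git-upload-pack HTTP/1.1" 200 8231 "-" "git/2.1.0"
10.0.0.7 - bob [10/Oct/2014:12:05:11 +0000] "POST /project.git/git-receive-pack HTTP/1.1" 200 56 "-" "git/2.1.0"
10.0.0.9 - - [10/Oct/2014:12:07:00 +0000] "GET /project.git/info/refs?service=git-receive-pack HTTP/1.1" 401 194 "-" "git/2.1.0"
10.0.0.9 - - [10/Oct/2014:12:07:01 +0000] "GET /project.git/info/refs?service=git-receive-pack HTTP/1.1" 401 194 "-" "git/2.1.0"
10.0.0.9 - - [10/Oct/2014:12:07:02 +0000] "GET /project.git/info/refs?service=git-receive-pack HTTP/1.1" 401 194 "-" "git/2.1.0"
"""

def parse_line(line):
    """Parse one combined-format line; return None if it is not a git smart-HTTP request."""
    m = LOG_RE.match(line)
    s = SERVICE_RE.match(m.group("path")) if m else None
    if not s:
        return None
    return {"ip": m.group("ip"), "user": m.group("user"), "method": m.group("method"),
            "status": int(m.group("status")), "repo": s.group("repo"), "service": s.group("service")}

def summarize(log_text):
    """Count successful pushes and fetches per (user, repo) and 401s per client IP."""
    pushes, fetches, auth_failures = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["status"] == 401:
            auth_failures[rec["ip"]] += 1
        elif rec["method"] == "POST" and rec["status"] == 200:
            # only the POST moves data; the GET on info/refs is just the ref advertisement
            bucket = pushes if rec["service"] == "git-receive-pack" else fetches
            bucket[(rec["user"], rec["repo"])] += 1
    return {"pushes": pushes, "fetches": fetches, "auth_failures": auth_failures}

def noisy_clients(summary, threshold=3):
    """Client IPs with at least `threshold` failed basic-auth attempts against git URLs."""
    return sorted(ip for ip, n in summary["auth_failures"].items() if n >= threshold)
```

Run it against /var/log/nginx/access.log instead of SAMPLE_LOG to see who is pushing to which repository and which clients are worth blocking at nginx or haproxy.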
If you want to go the extra mile and move this HTTP-based Git server to HTTPS, haproxy can do the SSL offloading in front of nginx. Here is a working haproxy config (haproxy 1.5.4):
    ubuntu@gitserver:~$ cat conf.haproxy.txt
    global
        log 127.0.0.1 local0
        tune.ssl.default-dh-param 2048
        maxconn 4096
        user nobody
        group nogroup
        daemon
        pidfile /var/run/haproxy.pid
        stats socket /var/run/socket-haproxy level admin

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option httpclose
        option redispatch
        timeout client 30s
        timeout server 30s
        timeout connect 1s
        timeout http-keep-alive 60s
        timeout http-request 15s
        stats enable
        stats refresh 10s
        stats uri /stats

    frontend https
        bind 0.0.0.0:443 ssl crt /home/ubuntu/ssl.pem no-sslv3 ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
        default_backend server

    backend server
        server 1 127.0.0.1:80
The above SSL configuration earned an A on SSL Labs, with support for everything but IE 6 on XP, IE 8 on XP and Java 6.
The ssl.pem file used above looks like this:
    -----BEGIN RSA PRIVATE KEY-----
    private key goes here; keep this secret
    -----END RSA PRIVATE KEY-----
    -----BEGIN DH PARAMETERS-----
    DH parameters go here; regenerate them regularly for forward secrecy with
    "openssl dhparam -outform pem -out dh2048.pem 2048"
    -----END DH PARAMETERS-----
    -----BEGIN CERTIFICATE-----
    signed cert goes here
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    chained cert goes here (depends on who signed your CSR)
    -----END CERTIFICATE-----